Sorry

Is the sky falling in on Google's Android Market? It was marketing 21 Trojans apps yesterday. Google didn't react to developers' complaints until the issue got popular on Reddit. Could it happen on the iOS App Store, or is Apple's lockdown too tight?

Google has pulled 21 rogue apps from the Android Market, because they contained malware. The Trojans would get root, transmit sensitive data, and download who-knows-what additional code. The Android marketplace is much more of a free-for-all than Apple's iOS App Store, which has its pros and cons. In IT Blogwatch, bloggers wonder what took Google so long.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention Fire Drill: In the A320 simulator with Captain Dave...

Apps released by developers under the names Kingmall2010?, we20090202?, and Myournet contain ... malware and have been pulled from the Android Market. ... The apps reportedly could compromise a users personal data. ... .

...

The malware attack shows that Androids big advantage ... openness that gives it an edge over Apple ... is also Androids biggest disadvantage. ... While Apple screens its apps, Google allows just about anybody to upload apps into the Android Market.

The pseudononymous lompolo sounded the alarm last night:

Someone just ripped off 21 popular free apps from the market, injected root exploits into them and republished. ... I just randomly stumbled into one of the apps, recognized it. ... The apps seem to be at least posting the IMEI and IMSI codes to [link redacted] which seems to be located in Fremont, CA. ... The apps are also installing another embedded app.

...

I just received a reply to an e-mail I sent out to one of the developers affected: ... "I have been trying for more than a week now to get Google to do something about it ... through every avenue I could think of, but haven't had a response yet."

...

Some sort of moderation, or at least quicker reaction to malware complaints would be nice.

Aand Aaron Gingrich and Justin Case analyze the code:

It does indeed root the users device via rageagainstthecage or exploid. But ... it does more than just yank IMEI and IMSI ... it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But ... the true pièce de résistance is that it has the ability to download more code ... the possibilities are nearly endless.

...

They've been pulled ... as well as remotely removing them from users devices. Unfortunately, that doesnt remove any code thats already been backdoored in. ... This is the ultimate Android Trojan to date, and its already been downloaded over 50,000 times.

...

The [list of] offending apps: ...

But Jolie O'Dell has radical advice:

If youve downloaded one of these apps, it might be best to take your device to your carrier and exchange it for a new one, since you cant be sure that your device and user information is truly secure. Considering how much we do on our phones  shopping and mobile banking included  its better to take precautions..

Jon Norris broadens his outlook:

This misadventure also highlights another reason why the Android Market isnt raking in nearly as much cash as the iOS App Store  the ease of piracy. ... A lot of criticism is levelled at Apple for their App Store submission policies, but you certainly wouldnt ever see this happening on their watch.

...

[This] has become such an issue on Android that Google announced not long ago it had an actual team of humans actively scouring the App Market. ... Why this specialist team didnt identify these nefarious Apps ... remains a mystery.

Meanwhile, Darlene Storm has tips on how Android users can protect themselves:

The trick is to pay attention while the app is installing, since the malicious app will ask for excessive permissions. ... Hackers tweaking legitimate apps to carry Trojans is not a new idea and smartphones will continue to be targeted for mobile malware.

Richi Jenningsis an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: itbw@richij.com.

Richi Jennings — Your humble blogwatcher is an independent analyst/consultant, specializing in blogging, email, spam, and other security topics. He was voted 'Most likely to get up first to sing at karaoke' for 14 years in succession.